Intro — Course Goals


• Learn About Fuzzers
• Write your own protocol specification in boofuzz
• Use your fuzzer to find bugs
• ???
• Profit


Intro — Me

Joshua Pereyda
• Software Engineer in Security
• Experience fuzzing professionally
• Maintains boofuzz
• Oracle Cloud Infrastructure
• @jtpereyda


Outline

• Lecture: Fuzzing Intro
• Lecture: Basic Techniques with boofuzz
• Exercise 1 — Target Practice
• Exercise 2 — Target Practice 2
• Exercise 3 — On Your Own
• Lecture: Reverse Engineering & Advanced Topics


Intro — Outline

• Fuzzing & Fuzzing Techniques
• Current Tools


Security Research

• Vulnerability Research — Look for problems
• Exploit Development — Exploit problem to impact security


Fuzzing

• Vulnerability research tool
• Generate invalid/unexpected inputs
• Detect failure (typically segfault/crash/etc.)


Fuzzing vs. Scanning

Scanning                                 | Fuzzing
-----------------------------------------|------------------------------------------
Automated                                | Automated
Easily deployed vs. new targets          | New targets require engineering/config
Look for known issues                    | Look for unknown issues (0-days)
Non-destructive                          | Destructive
Operational activity                     | Development activity
Low to no instrumentation                | More instrumentation => More value
Run in prod: yes                         | Run in prod: no
Easy to scale                            | Scalable but with more effort




Origins

• 1950s — Punch cards from trash bin fed into program to evaluate robustness
  [Image: FORTRAN statement punch card]
• 1988 — First use of term “fuzzing”


Origins: 1988

• Developed by Dr. Barton Miller at UW Madison as a class project
• Fed random input to Unix utilities
• Crashed over 25% of tested commands, including emacs, vi, make, telnet, csh, and more
• Miller was surprised at the number of failures found
• Key development: Use randomness to violate assumptions.

curl 'fj48914309qr2p3 rim e/resd,fa;wf.,4vp16v3/5p.vl;ul.6.ty[5p16[4[1]4\5][13]5123'


Command Line to Network Protocols: ~2000

• PROTOS project, University of Oulu, Finland
• Found vulnerabilities in 40 of 49 products
• 14 vulnerable to remote code execution (RCE)
• Used a structured, generational, or “smart” fuzzing approach
• Procedural, not random


Generational (“Smart”) Fuzzing

IPv4 Header Format (each row is one 32-bit word, bits 0–31):

    Version | IHL | DSCP | ECN | Total Length
    Identification | Flags | Fragment Offset
    Time To Live | Protocol | Header Checksum
    Source IP Address
    Destination IP Address
    Options (if IHL > 5)


Protocol Fuzz Test Case Example

• -> Anomalous Message
• <- Response (optional)
• Health Check
  o -> Request
  o <- Response
  o If no response:
    o Log failure
    o Restart target


Mutational Fuzzing

• Start with a valid data sample
• Mutate valid sample to get test cases


Guided Fuzzing

• Gray/White Box
• Utilize a metric to decide which mutations to emphasize
  o Common metric: Code coverage
• Concolic (concrete + symbolic) execution: Symbolic execution guides test case generation


Instrumentation

• Ping/response check
• Detect process crash
• Memory leaks
• Side effects
• Functional misbehaviors
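The test case sequence from the "Protocol Fuzz Test Case Example" slide (anomalous message, optional response, health check, log failure, restart target), using only the ping/response check from the instrumentation list as its detector, as an added example that is not part of the course material. FakeTarget is a constructed stand-in for a network service, not boofuzz code, and its 64-byte limit is an assumption of the model.

```python
import logging

log = logging.getLogger("fuzzloop")
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")

HEALTH_CHECK = b"NOOP\r\n"   # a valid request the target must always answer


class FakeTarget:
    """Constructed stand-in for a network service (not a real server): it
    answers commands, but a command longer than 64 bytes silently kills it,
    modelling an unchecked fixed-size buffer. The limit is an assumption."""

    def __init__(self):
        self.alive = True
        self.restarts = 0

    def send(self, data):
        if not self.alive:          # dead process: nothing comes back
            return None
        if len(data) > 64:
            self.alive = False
            return None
        return b"200 OK " + data[:4]

    def restart(self):
        self.alive = True
        self.restarts += 1


def generate_cases():
    """Generational set: the RETR argument at lengths around the boundary."""
    return [b"RETR " + b"A" * n + b"\r\n" for n in (1, 32, 57, 58, 59, 128, 1024)]


def fuzz_loop(target, test_cases):
    """One round per test case, in the slide's order. The anomalous message's
    own response is optional, so it is not used for detection; the health
    check is the ping/response instrumentation that decides pass or fail."""
    failures = []
    for idx, case in enumerate(test_cases):
        target.send(case)                          # -> anomalous message
        if target.send(HEALTH_CHECK) is None:      # -> request, <- response?
            log.error("case %d: no response to health check (payload %d bytes)",
                      idx, len(case))
            failures.append((idx, case))           # log failure
            target.restart()                       # restart target
    return failures
```

Without the restart step every case after the first crash would also be logged as a failure, which is why the loop restarts before moving on.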


Review: Fuzzing Techniques

• Random vs. Mutational vs. Generational
• Black box vs. White box
• Guided vs. Unguided
• Instrumentation Options
• Target type


Fuzzing Strengths

• Find bugs quickly
• Ensure robust public interfaces
• Quicker than manual testing
• Existing tools


Fuzzing Weaknesses

• Some code paths are hard to find
• Checksums can kill mutational fuzzing
• Logic bugs often involve bizarre combinations of functionality that generational fuzzers can miss
• Exciting research: Generational and guided fuzzing, e.g. “AFLSmart”
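The IPv4 header from the generational-fuzzing slide, built field by field with its checksum recomputed for every test case, beside a blind byte mutation of the same header, as an added example that is not from the course: it shows concretely why checksums kill mutational fuzzing. The receiver model, field values and addresses are constructed here.

```python
import socket
import struct


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words, folded."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(total_length=40, ident=0x1234, flags_frag=0x4000, ttl=64,
               proto=6, src="10.0.1.5", dst="10.0.1.11"):
    """Generational build of the slide's header (no options, IHL = 5). Every
    field is a parameter and the checksum is computed last, so whatever value
    a field takes, the header still passes the receiver's first check."""
    ver_ihl = (4 << 4) | 5
    head = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_length, ident,
                       flags_frag, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    return head[:10] + struct.pack("!H", ipv4_checksum(head)) + head[12:]


def receiver_accepts(header):
    """Model of the parser under test: it verifies the checksum before looking
    at any other field, so a stale checksum never reaches the deeper code."""
    return len(header) >= 20 and ipv4_checksum(header[:20]) == 0


def generational_cases():
    """Boundary values for Total Length and TTL, checksum fixed up each time."""
    for tl in (0, 19, 20, 21, 0xFFFF):
        yield build_ipv4(total_length=tl)
    for ttl in (0, 1, 255):
        yield build_ipv4(ttl=ttl)


def mutational_case(valid, offset=8, value=0):
    """Blind single-byte overwrite (offset 8 is TTL) with no checksum fix-up,
    which is what a format-unaware mutational fuzzer produces."""
    return valid[:offset] + bytes([value]) + valid[offset + 1:]
```

The generated TTL=0 case and the mutated TTL=0 case carry the same field value; only the one with a recomputed checksum gets past the receiver.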




Current Tools

• Open Source, Guided Fuzzing
  o American Fuzzy Lop (AFL)
  o LibFuzzer
• Targets: File, API

[Screenshot: AFL status screen, "american fuzzy lop 0.47b (readpng)": process timing, overall results (total paths, uniq crashes, uniq hangs), cycle progress, map coverage, stage progress, findings in depth, exec speed, fuzzing strategy yields, path geometry]

Current Tools

[Figure: timeline of fuzzing tools, from https://apps.dtic.mil/dtic/tr/fulltext/u2/a558209.pdf. Tools named include Miller et al. [152], PROTOS, SPIKE [13], Sharefuzz [14], GPF [6], SPIKEfile [202], antiparser [149], FileFuzz [201], Autodafe [214], SNOOZE [29], fsfuzzer [143], Sidewinder [78], Sulley [16], CalFuzzer [189], EFS [68], SAGE [47], LZFuzz [40], Fuzzbox [207], AtomFuzzer [169], KLEE [4], jFuzz [112], BuzzFuzz [84], SmartFuzz [154], FLAX [182], RaceFuzzer [190], DeadlockFuzzer [116], TaintScope, FuzzBALL [27], ref_fuzz [234], Doupe et al. [73] and Mahmood et al. [146].]


Current Tools

• Closed Source, Generational Protocol Fuzzing
  o Defensics by Synopsys
  o Peach
• Vendors sell specific protocol definitions

[Screenshot: Defensics results view for an HTTP-Server test suite: status, interoperability, test cases, results and remediation, running time (average/max), test cases per second, hit ratio, mean time between failures]


Current Tools

• Open Source, Generational Protocol Fuzzing Frameworks
  o Peach (super old version)
  o Spike
  o Sulley
  o boofuzz


boofuzz

• Goal: Easy and quick data generation for network protocols
• Python
• Features
  o Multiple transport layers (TCP, UDP, SSL, IP, Eth, Serial)
  o Shiny Web UI
  o Documentation
• Used by hobbyists & Fortune 100 companies


boofuzz: Fuzzing Techniques

• Random vs. Mutational vs. Generational
• Black box vs. White box
• Guided vs. Unguided
• Instrumentation Options
• Target type: Network Protocols


Basic Techniques

• Understand Your Protocol
• Define Some Messages
• Fuzz


Basic Techniques — Understand Your Protocol

• RFCs/Specifications
• Packet Captures
• Experimentation


boofuzz — Boilerplate

    from boofuzz import *

    session = Session(
        target=Target(
            # example target: a local FTP server (placeholder host and port)
            connection=SocketConnection("127.0.0.1", 21, proto="tcp"),
        ),
    )


boofuzz — Define Messages

    s_initialize("retr")    # start one message definition (name is a placeholder)
    s_string("RETR")        # command verb, fuzzed as a string
    s_delim(" ")            # separator, fuzzed as a delimiter
    s_string("AAAA")        # argument, fuzzed as a string


boofuzz — Connect Messages

    session.connect(s_get("retr"))   # the "retr" message is sent first in the session graph
    session.fuzz()
Exercise 1 — Target Practice

• Target: HTTP Server on Linux
• Follow your handout
• Go!

Exercise 2 — Target Practice 2

• Target: Modified HTTP Server
• Follow your handout
• Go!


Exercise 3 — On Your Own

• Target: smallftpd (FTP)
• Follow your handout
• Go!




Reverse Engineering — Outline

• Use Wireshark
• Analyze PCAPs
• Context
• ???
• Fuzzer!


Reverse Engineering — Analysis Tips

• Look at multiple samples
• Look for static values or sometimes-changing values
• Look for data structures
• Sequences of zeros may be
  o Filler bytes for fixed length fields
  o Unused fields
• Look at request vs reply format
• Look for hints
  o What else is happening in the PCAP?


Reverse Engineering — Analysis Example

• Two request+reply pairs
• Functionally similar
• Different hosts
• We will compare
  o Request A vs Request B
  o Request vs Reply
  o Reply A vs Reply B

Request A

    0000  00 04 00 01 00 06 00 00 17 00 e4 88 00 00 08 00
    0010  45 00 00 60 e6 c3 40 00 40 06 3d c5 0a 00 01 05
    0020  0a 00 01 0b d6 df 08 01 94 68 ae 69 f4 2f b6 0e
    0030  80 18 00 d2 16 62 00 00 01 01 08 0a 00 0f 48 a9


Request B

    0000  00 04 00 01 00 06 00 00 17 00 2a ed 00 00 08 00
    0010  45 00 00 60 13 c7 40 00 40 06 12 af 0a 00 00 11
    0020  0a 00 00 12 03 1f 08 01 ff 30 1f 56 86 fd 15 cb
    0030  80 18 00 d2 14 75 00 00 01 01 08 0a 07 13 0c 90


Reply A

    0000  00 00 00 01 00 06 00 00 17 00 97 11 00 00 08 00
    0010  45 00 00 50 ad ae 40 00 40 06 76 ea 0a 00 01 0b
    0020  0a 00 01 05 08 01 d6 df f4 2f b6 0e 94 68 ae 95
    0030  80 18 00 d2 62 c3 00 00 01 01 08 0a 1c 62 1b a3
    0040  00 0f 48 a9 80 00 00 18 d1 82 5e 7d 00 00 00 01
    0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


Reply B

    0000  00 00 00 01 00 06 00 00 17 00 ?? 07 00 00 08 00
    0010  45 00 00 50 99 37 40 00 40 06 8d 4e 0a 00 00 12
    0020  0a 00 00 11 08 01 03 1f 86 fd 15 cb ff 30 1f 82
    0030  80 18 00 d2 26 46 00 00 01 01 08 0a 07 11 8c fd
    0040  07 f3 0c 90 80 00 00 18 5c 1c ef 1b 00 00 00 01
    0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
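The Reply A vs Reply B comparison from the analysis slides, done the way the analysis tips describe (static values, changing values, runs of zeros), as an added example that is not part of the course. The dumps are the two replies from the slides (the two unreadable bytes in Reply B's first row are written as ?? and parsed as unknown), and the walk to the payload assumes the 16-byte prefix is a Linux cooked-capture header followed by IPv4 and TCP, which is my reading of the bytes, not something the slides state.

```python
REPLY_A = """
0000 00 00 00 01 00 06 00 00 17 00 97 11 00 00 08 00
0010 45 00 00 50 ad ae 40 00 40 06 76 ea 0a 00 01 0b
0020 0a 00 01 05 08 01 d6 df f4 2f b6 0e 94 68 ae 95
0030 80 18 00 d2 62 c3 00 00 01 01 08 0a 1c 62 1b a3
0040 00 0f 48 a9 80 00 00 18 d1 82 5e 7d 00 00 00 01
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""
REPLY_B = """
0000 00 00 00 01 00 06 00 00 17 00 ?? 07 00 00 08 00
0010 45 00 00 50 99 37 40 00 40 06 8d 4e 0a 00 00 12
0020 0a 00 00 11 08 01 03 1f 86 fd 15 cb ff 30 1f 82
0030 80 18 00 d2 26 46 00 00 01 01 08 0a 07 11 8c fd
0040 07 f3 0c 90 80 00 00 18 5c 1c ef 1b 00 00 00 01
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

def parse_dump(text):
    """'OFFSET b0 b1 ...' rows -> list of ints; '??' (unreadable) -> None."""
    out = []
    for line in text.strip().splitlines():
        toks = line.split()
        assert int(toks[0], 16) == len(out), "dump rows must be contiguous"
        out += [None if t == "??" else int(t, 16) for t in toks[1:]]
    return out

def payload_offset(pkt):
    """Skip the 16-byte cooked-capture header (ethertype at 14..15), the IPv4
    header (IHL = low nibble of its first byte) and the TCP header (data offset
    = high nibble of its byte 12) to reach the application data. Assumed layout."""
    assert pkt[14:16] == [0x08, 0x00], "not IPv4"
    tcp = 16 + (pkt[16] & 0x0F) * 4
    return tcp + (pkt[tcp + 12] >> 4) * 4

def compare_payloads(a, b):
    """Label each payload offset the way the analysis tips read a dump: 'zero'
    (both zero: filler or unused), 'static' (same value: model it literally) or
    'changing' (differs: an id/sequence field the fuzzer must generate, not
    copy). Returns (start, length, label) runs."""
    start = payload_offset(a)
    assert start == payload_offset(b), "replies have different header layouts"
    runs = []
    for i in range(start, min(len(a), len(b))):
        lab = "zero" if a[i] == b[i] == 0 else "static" if a[i] == b[i] else "changing"
        if runs and runs[-1][2] == lab:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1, lab)
        else:
            runs.append((i, 1, lab))
    return runs
```

On these two replies the payload starts at 0x44 and the only changing run is the four bytes at 0x48, surrounded by fixed bytes and a 16-byte zero tail: the first is a field to generate or echo per request when defining the message, the rest are candidates for static fields.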


Advanced Topics — Outline

• Custom Transport Layers
• Future of boofuzz
• Conclusion


Advanced Topics — Custom Transport Layers

• Implement the ITargetConnection interface
• SocketConnection provides typical use case
• SerialConnection for serial ports


Advanced Topics — Custom Transport Layers

    from boofuzz import *

    session = Session(
        target=Target(
            # serial transport instead of a socket: same Session/Target wiring
            connection=SerialConnection(port=1, baudrate=9600),
        ),
    )


Advanced Topics — Future

• More robust data model — use Python construct package?
• More features
• Less bugs
  o Hot tip: If you think you found a bug in boofuzz... you probably did! :P
• Better built-in CLI
• Quality Protocol Definitions


Conclusion

• We learned how to...
  o Define protocols in boofuzz
  o Identify bugs using a network protocol fuzzer
  o Reverse engineer an unknown network protocol
• Remember:
  o Commercial tools are great if your employer can pay for them
  o Open source tools are best for custom protocols... and more fun! :)
• There is a wide world of fuzzing tools & research


Thank you and happy fuzzing!

• https://github.com/jtpereyda/boofuzz
• https://github.com/jtpereyda/boofuzz-ftp
• https://github.com/jtpereyda/boofuzz-http

• @boofuzz
• @jtpereyda

• @tim clemans


